PPTP VPN Setup

Hey Guys,

I'm going to be working away from Home for a while and need access to my local File Server. A VPN is the best way to achieve this; however, I'm currently having some issues with configuring a PPTP VPN in pfSense.

The Setup I currently have diverts all traffic intended for WAN to OPT1 (OpenVPN Connection). So if any Device asks for something from the Internet it diverts through the VPN and bypasses normal WAN.

So essentially I want to be running a VPN Client (Internet Connection) and a VPN Server (Remote Access) on the same pfSense box.

I'd like the VPN Server to listen on the WAN instead of OPT1 as I have a Static IP.

Can somebody walk me through configuring the PPTP VPN Server and setting up the relevant Firewall Rules? I've tried all the obvious and followed all the Guides I can find on the pfSense website but I simply cannot connect remotely.

Thanks

Chris


I personally would not go with the pptp; I would do either openvpn or L2TP IPsec. I access my pfsense openvpn vpn every single day from work pretty much.

You can have a road warrior setup and site to site at the same time.

For one, openvpn is only 1 port, which can be 443, vs all the ports and protocols other vpns need. It's more likely to have, say, 443 open outbound from where you're at to your pfsense than other ports and protocols.


Sweet!! Your network sure has had some drastic improvements lately ;)

So doing anything fancy with your smart switch yet?

edit: What I also like with the openvpn solution is that it can be very secure. A cert issued to each user if you want, a password on the cert if you want, and it can also require auth (username and password) along with the cert.

If there is any reason to think that cert has been compromised you can revoke it and reissue a new cert to the user.

A lot of it is overkill if it's just you remote, but say you lose your laptop or usb where you have your openvpn config and cert. Just revoke the cert! And you're good.

Only bad thing with openvpn vs say the built in windows client is that you need admin rights on the box you're wanting to connect from. Normally not a problem if you're just wanting to use your own laptop to get into your network while on the road. But it can be a pain if trying to get in from an internet cafe or something.

Which is why I have, as an alternate method, just SSH with public key auth that I can use to tunnel into my network if for some reason openvpn is down or I don't have rights to use openvpn. With that all you need is putty and your cert. Nothing to install ;)

But what is really nice with openvpn is using just 1 port, and it can even bounce off a proxy. So for example here at work vpn protocols are blocked, and I have to use a proxy to get out to the internet -- so I just bounce off the proxy using openvpn on port 443 ;)
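The client side of what the post describes (one TCP port, 443, via an HTTP proxy; a per-user cert with a passphrase-protected key plus username/password), as an added example config that is not from the thread or from the pfSense/OpenVPN projects. The hostnames, proxy and file names are assumptions.

```conf
# Added example OpenVPN client config (constructed; names are placeholders).
client
dev tun
# TCP rather than UDP so the tunnel can ride an HTTP CONNECT proxy on 443.
proto tcp
remote vpn.example.net 443
# The workplace proxy the post talks about bouncing off (assumed host/port).
http-proxy proxy.corp.example 3128
http-proxy-retry
# Only accept a peer that presents a server certificate, never another client.
remote-cert-tls server
ca ca.crt
# Per-user certificate; the server checks it against its CRL (crl-verify) so a
# revoked cert from a lost laptop stops working without reissuing anyone else's.
cert alice.crt
# Passphrase-protected private key: openvpn prompts for it (or read it via askpass).
key alice.key
# Username/password required in addition to the certificate.
auth-user-pass
cipher AES-256-GCM
# Lets the client notice a dead link and reconnect on its own.
keepalive 10 60
persist-key
persist-tun
verb 3
```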


Sweet!! Your network sure has had some drastic improvements lately ;)

So doing anything fancy with your smart switch yet?

Well since I lost my Job I've got plenty of time to do these kind of things and do a lot of Reading. I think I'm going to test VLANs next week!

Gimme a list of things I should read up on for use with my Smart Switch because frankly I've not really done an awful lot with it yet.


Well for starters I would just look at the interface stats, so you can see what traffic different boxes are generating. You might want to play with rate limiting? IGMP snooping could be a way to lower overall traffic noise by blocking multicast traffic for devices not using it.

You might want to play with protected ports, or the mac and IP based ACLs you can create. 802.1X might be fun to play with for someone new to networking; most of this really never comes into play in your normal network. For example when would you ever need 802.1X on your home network -- do you really care to auth a device connecting to a specific port?

But you might have use of protected ports, where traffic from a protected port is not forwarded to any other protected ports, only unprotected ones. You could use this to isolate a machine from talking to other devices on your network without having to set up vlans. You might want to do this for say a guest box or your play box that might get infected on the internet and not have to worry about it talking to anything else on your network.

Dude you could find things to play with for months ;) If you had gotten 2 you could play with LAG. I would run through all the features in the documentation and stuff that interests you or anything that piques your interest ;)

Did you pick up that killawatt thing, if so you could see what differences turning on green ethernet vs non green make in actual consumption of power.

I could go on for quite some time ;)


Only bad thing with openvpn vs say the built in windows client, is you have admin rights on the box your wanting to connect from.

The other issue is I'm connecting my Mum's iMac up to this VPN so she can access my media Library. I'm using Tunnelblick as a GUI for OpenVPN as there doesn't appear to be an official client yet, and it doesn't allow me to bring the VPN up at System boot. Shame 'cause she'll NEVER learn to connect to it.

Did you pick up that killawatt thing, if so you could see what differences turning on green ethernet vs non green make in actual consumption of power.

Unfortunately not, the Electrics are so archaic in this house that the technology won't work on it.


You don't need a gui, you can just use a script to connect. I know you can set up a script to run on startup.

And no, not the whole house elec thing, just the meter you plug devices into that shows how much it's using, keeps track of total kWh, etc.


You don't need a gui, you can just use a script to connect.

Linkage to said script?

And no, not the whole house elec thing, just the meter you plug devices into that shows how much it's using, keeps track of total kWh, etc.

Ahh, I see, not yet. May do in future.


Um, from my quick look at that tunnelblick there is supposed to be a "start when system starts" option:

"when computer starts"

So no need to create your own script, but in general with openvpn it's as simple as the command

openvpn configfile

put into whatever startup scripts your OS uses.
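The boot-time wrapper the post has in mind, as an added example that is not from the thread or from the OpenVPN/Tunnelblick projects. It runs `openvpn --config` on a config file (assumed path /etc/openvpn/client.conf) after checking the two things that usually make a startup launch fail silently: the config path and the permissions on the private key.

```sh
#!/bin/sh
# Added example of a startup wrapper for an OpenVPN client (constructed; the
# config and log paths are assumptions). Meant to be run as root at boot from
# whatever startup mechanism the OS uses.

CONF="${OPENVPN_CONF:-/etc/openvpn/client.conf}"
LOG="${OPENVPN_LOG:-/var/log/openvpn-client.log}"

# Check a wrong config path, a config with no 'remote' line, and a private key
# that is unreadable or (worse) readable by everyone on the box.
check_openvpn_config() {
    conf="$1"
    [ -r "$conf" ] || { echo "config not readable: $conf" >&2; return 1; }
    grep -q '^remote ' "$conf" || { echo "no remote line in $conf" >&2; return 1; }
    key=$(awk '$1 == "key" { print $2; exit }' "$conf")
    [ -n "$key" ] || return 0   # inline <key> block or no key: nothing more to check
    case "$key" in
        /*) ;;                                  # absolute path
        *)  key="$(dirname "$conf")/$key" ;;    # relative to the config directory
    esac
    [ -r "$key" ] || { echo "key not readable: $key" >&2; return 1; }
    # Octal mode: GNU stat first, then the BSD/macOS form.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
        *00) return 0 ;;                        # group and other have no access
        *)   echo "key $key is mode $mode; expected 600 or 400" >&2; return 1 ;;
    esac
}

# Start openvpn detached; 'keepalive' in the config makes it reconnect by itself.
start_openvpn() {
    check_openvpn_config "$CONF" || return 1
    cd "$(dirname "$CONF")" || return 1
    openvpn --config "$CONF" --daemon --log-append "$LOG"
}

# Only start when invoked as 'client-vpn.sh start', so the checks can also be
# run on their own without touching the network.
if [ "${1:-}" = "start" ]; then
    start_openvpn
fi
```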


Yeah so I just checked and there's an unofficial port of OpenVPN that works with MacPorts. May use that then create a script to bring the VPN up and maintain connectivity.

TunnelBlick does have 'start at system boot' functionality, but it doesn't work with OpenVPN Config files. But I'll look into that tonight.


There is info about that on their website. But since I don't have a mac I can play with, it's hard for me to help you through it.


There are some minor issues with OS X and the Tun Tap Drivers with OpenVPN, but I'm fairly sure I can compile it properly with a little Elbow grease.


Not sure why you should have to go through that hassle; it seems clear from the website of the client you're using that it has the ability to start with the system - just some tweak to which conf file to use, or a permissions issue.
